ci: switch to GitHub-hosted runners (#27) #26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: "17 4 * * 1" | |
| workflow_dispatch: | |
| concurrency: | |
| group: security-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| dependency-audit: | |
| name: Dependency Audit | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@a2a8b00df0aa22a77a33ee5f956c2128661fabeb # v7 | |
| - name: Install dependencies | |
| run: uv sync --extra dev | |
| - name: Run pip-audit | |
| run: uvx pip-audit --ignore-vuln CVE-2026-4539 | |
| bandit-sast: | |
| name: Bandit SAST | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@a2a8b00df0aa22a77a33ee5f956c2128661fabeb # v7 | |
| - name: Install bandit | |
| run: uv tool install bandit | |
| - name: Run Bandit | |
| run: bandit -r src/ -c pyproject.toml || bandit -r src/ -ll | |
| secrets-scan: | |
| name: secrets-scan | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install gitleaks | |
| run: | | |
| set -euo pipefail | |
| GITLEAKS_VERSION="8.30.0" | |
| ARCHIVE="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | |
| BASE_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}" | |
| curl -sSfLO "${BASE_URL}/${ARCHIVE}" | |
| curl -sSfLO "${BASE_URL}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" | |
| grep " ${ARCHIVE}\$" "gitleaks_${GITLEAKS_VERSION}_checksums.txt" | sha256sum -c - | |
| tar xzf "${ARCHIVE}" | |
| mkdir -p "$HOME/.local/bin" | |
| mv gitleaks "$HOME/.local/bin/gitleaks" | |
| chmod 0755 "$HOME/.local/bin/gitleaks" | |
| echo "$HOME/.local/bin" >> "$GITHUB_PATH" | |
| - name: Run gitleaks | |
| run: gitleaks detect --source . --verbose |